Adjusted to have a separate requirement for VEX

eddie-knight · eddie-knight · commit 39507ac6168d · 2025-02-22T09:19:03.000-06:00
Signed-off-by: Eddie Knight &lt;knight@linux.com&gt;
diff --git a/baseline/OSPS-VM.yaml b/baseline/OSPS-VM.yaml
@@ -156,18 +156,30 @@ controls:
           The project MUST publicly publish data about discovered 
           vulnerabilities.
         applicability:
+          - Maturity Level 2
           - Maturity Level 3
         recommendation: |
           Provide information about known vulnerabilities in a predictable
           public channel, such as a CVE entry, blog post, or other medium.
           To the degree possible, this information should include affected
           version(s), how a consumer can determine if they are vulnerable, and
           instructions for mitigation or remediation.
+      - id: OSPS-VM-04.02
+        text: |
+          The project's released software assets MUST include VEX data to
+          provide information about the exploitability of vulnerabilities.
+        applicability:
+          - Maturity Level 3
+        recommendation: |
+          Include a VEX file or VEX data in an SBOM as part of the project's 
+          released software assets. This data should provide information about
+          the exploitability of vulnerabilities, including which conditions or
+          configurations are necessary for the vulnerability to be exploited
+          or non-applicable.
 
   - id: OSPS-VM-05
     title: |
-      Define and enforce a threshold for remediation of SCA findings related to
-      vulnerabilities and licenses
+      Define and enforce a threshold for remediation of SCA findings
     objective: |
       Ensure that the project clearly communicates the threshold for remediation
       of SCA findings, including vulnerabilities and license issues in software
